A quick post on the LSM, SELinux, and audit highlights merged into Linus' tree during the Linux v7.2 merge window.

https://paul-moore.com/blog/d/2026/06/linux_v72_merge_window.html

#lsm #selinux #audit

Paul Moore · Linux 7.2 Merge Window

I typically only announce my merge window blog posts here, but as we had a relatively large number of LSM, SELinux, and audit changes go into Linus' tree during the RC phase, you may want to take a quick look at the highlights.

https://paul-moore.com/blog/d/2026/06/linux_v71.html

#lsm #selinux #audit

Paul Moore · Linux 7.1 Released

Weird or hard to explain problems with #linux? If you use #selinux, the first step is to check #filesystem #security labels. Over the last 12 years, most of my weird, unexplained, sudden problems have been due to bad/wrong labeling.

Dry-run: `restorecon -Rvn /`.

See whether anything being reported is recognizable as related to your issue. Then run without `-n`.

#fedora is nice, but it's clearly meant to be a workstation distro, not a desktop one

having #selinux in enforcing mode by default clearly implies that the intended mode of use is "any custom service that may be used would be first deployed by the sysadmin, then have the proper selinux policy written for it, then deployed onto the workstations"

and i don't have the skills to write proper selinux policies, at least not yet, my goal is to let dad have a desktop OS he can safely update via GUI, not manage a hundred workstations

gonna try #OpenSUSE next, i guess

okay, so #fedora didn't work as well as i imagined, mostly because of #selinux

i needed to install a separate program and add it as a systemd service, but selinux stood in the way, and trying to actually configure it was too difficult (its scripts need compilation!), so i had to set it to permissive mode instead

New article on the blog. :)

NTFS ACLs, SELinux and AppArmor: ACLs, SIDs and MIC on Windows, Type Enforcement and profiles on Linux. A technical comparison of the security models of both operating systems.

https://just-stuff.blog/ntfs-srm-vs-selinux-apparmor-wer-darf-was-und-warum/

#acl #selinux #apparmor #security #blog #windows #linux

NTFS SRM vs. SELinux/AppArmor: Who may do what, and why? - Just Stuff Blog

#TechTipThursday: SELinux is enabled by default on Rocky Linux. Before you disable it, learn what it's telling you.

getenforce -- check current mode
sudo ausearch -m avc -ts recent -- see recent denials
sudo sealert -a /var/log/audit/audit.log -- human-readable denial explanations
sudo setenforce 0 -- permissive mode for troubleshooting only

Learning to read SELinux logs beats turning it off every time.
#RockyLinux #Linux #TechTipThursday #SELinux #SysAdmin
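As an added example (not part of the original post), a small POSIX shell/awk helper that summarizes the kind of AVC records `ausearch -m avc` returns, grouped by source type, target type, object class and permission, so a pile of denials collapses into a few readable lines. The audit lines are constructed samples, `avc_summary` is a hypothetical name, and awk is assumed to be available.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real system): two AVC
# denials for httpd_t reading user_home_t files, one for connecting to
# the PostgreSQL port, plus an unrelated SYSCALL record that is skipped.
AVC_SAMPLE='type=AVC msg=audit(1718000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1718000001.456:457): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1718000002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="other.html" dev="sda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary: read audit records on stdin and print one line per distinct
# (source type -> target type, class, permissions, mode) tuple with a count,
# most frequent first. The SELinux type is the third colon-separated field
# of a context (user:role:type[:level]).
avc_summary() {
  awk '
    $1 == "type=AVC" && / denied / {
      perm = $0
      sub(/.*denied +\{ */, "", perm)   # keep text inside { ... }
      sub(/ *\}.*/, "", perm)
      src = ""; tgt = ""; cls = ""; mode = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")        { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass")     cls = kv[2]
        else if (kv[1] == "permissive") mode = (kv[2] == "0") ? "enforced" : "permissive-logged"
      }
      count[src " -> " tgt " " cls " { " perm " } " mode]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# A file denial against a home-directory type for a web server usually means
# the content is mislabeled for the service; the dry run restorecon -Rvn
# mentioned earlier in this feed shows which labels would be corrected.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```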

I discovered that the layout editor for components broke again in #KNIME, both in the LTS version and in the regular version (updated every 6 months).

With the #Eclipse-based interface being deprecated, at least here on #openSUSE Leap 16, the only way to modify the arrangement of elements is to use the new interface of the regular version.

It's a manageable problem, but very annoying. For me, since I don't design dashboards and don't worry much about the order of settings in the property sheets, I'd say it's unnoticeable most of the time. The thing is, I hate software that only half works.

Trying to use the broken functionality results in the program crashing abruptly. Pretty bad.

Judging by the HotSpot error log, there is some problem buried in a GTK call. With #Distrobox having some problems due to #SELinux, namespaces and my above-average-complexity partitioning scheme, I haven't yet figured out how to work around the problem.

In the end, my urge is to curse GTK, but I don't know if I'd be being unfair. I tend to find that things break unnecessarily. Why can't we have mature, boring software?

SELinux on a Fedora 44 desktop usually means: enforcing, but your own session runs unconfined_u — the policy barely restricts *you*.

This repo documents a desktop running staff_u (sysadm_r for admin) instead: 4 foundation layers + 27 topics — systemd sandboxing, custom CIL modules, hardened Flatpak browsers — runnable as Ansible playbooks, each with verify scripts, live-tested on cloud VMs incl. real-reboot survival. Lynis 67→74.

https://github.com/boris-unckel/fedora-desktop-hardening

#SELinux #Fedora #Linux

GitHub - boris-unckel/fedora-desktop-hardening


CI/CD for production: GitLab Registry, Docker in Docker and fault tolerance

If your project has outgrown the "just build it" stage and now requires uninterrupted operation in production, a simple pipeline is no longer enough. The main pain point is how to eliminate downtime and be able to roll back instantly. In the third part of the series we work through GitLab Container Registry. We set up versioned storage of Docker images, go over the pitfalls of Docker in Docker (dind) and SELinux, and automate testing before rollout. Finally, a minimal script for starting a container on the production server from your private GitLab Registry.

https://habr.com/ru/articles/1044570/

#Docker_Registry #DevOps #Docker_in_Docker #SELinux #GitLab_Runner #контейнеризация #развертывание #CICD #Gitlab_Container_Registry

Part three of the CI/CD series, in which we look at working with the GitLab container registry. About the series: none of the Russian-language guides I found give a basic understanding of how it works, ...

Habr